Hosts

Hosts are separate from DNS entries (i.e. the data is not stored together), but a host is required to have a valid DNS entry. Without working DNS, Kerberos doesn't really work: clients resolve a host's name to build the service principal they ask a ticket for.

Start as admin:

# kinit admin

Creating Hosts

For the sake of testing the assumption is going to be that none of these hostnames exist in your DNS. If you have valid hostnames you can use then you can drop the --force flag. We are going to touch briefly on enrollment but aren't actually going to enroll any client machines.

Create a host:

The host name must be fully-qualified.

# ipa host-add --force panther.freeipa.org

This host is ready to be enrolled as a client machine using an authorized principal (for example the admin credentials supplied at enrollment time). Let us create one that can instead be enrolled using a simple one-time password:

# ipa host-add --random --force lion.freeipa.org

Note the Random password line in the output. This is a one-time password: pass it to ipa-client-install with --password to enroll the host, after which it is consumed and can't be reused. It is shown only once, so capture it at creation time.

Or, if you want to set a specific one-time password on a new host entry:

# ipa host-add --password=secret123 --force puma.freeipa.org

A password given on the command line ends up in your shell history and is visible in the process list while the command runs, so prefer --random unless you need a known value for bulk enrollment.

Searching for Hosts

We can search on either the FQDN or just the short hostname, since host-find matches on any part of the name:

# ipa host-find puma

Returns the same as:

# ipa host-find puma.freeipa.org

Updating Hosts

We can also store information specific to the host, such as its operating system or platform, using ipa host-mod. Related to keeping host data tidy, several of a host's services can be deleted in one command:

# ipa service-del --continue HTTP/puma.freeipa.org@FOO.ORG INVALID/puma.freeipa.org@FOO.ORG SSH/puma.freeipa.org@FOO.ORG

With --continue the deletion carries on past the nonexistent INVALID service and still removes SSH/puma.freeipa.org@FOO.ORG. Without --continue the command stops at the first failure, so SSH/puma.freeipa.org@FOO.ORG would be left in place.

Managing a Host's services

By default a host can manage its own services. This is controlled by the managedby attribute (shown as "Managed by" in host-show and service-show output).

Management is defined as retrieving a keytab and requesting certificates on behalf of a service or host.

So a host can create a service for itself and retrieve that service's keytab using its own host credentials.

It is possible to allow a host to manage other hosts or services on other
hosts.

Adding a host to the Managed By list of another host does not grant management of all services on that host. Each delegation is done independently: to let host A manage host B and all of B's services, you must add A to the Managed By list of B and of every service on B.

Create a new host (add --force, as above, if the name does not exist in DNS; skip this step if you already created panther earlier):

# kinit admin
# ipa host-add panther.freeipa.org

And create a service on the host:

# ipa service-add test/panther.freeipa.org

Delegate management of the service to the host slinky.freeipa.org:

# ipa service-add-host --hosts=slinky.freeipa.org test/panther.freeipa.org

Now the host principal of slinky (host/slinky.freeipa.org) can manage test/panther.freeipa.org: retrieve its keytab and request certificates for it.

To create a certificate for this service first generate a CSR (Certificate Signing Request).

The subject you use is not particularly important because our backend CA will only use the value of CN. The CN value must be the fully-qualified domain name of the host the service runs on (panther.freeipa.org in the example above); the service name itself is supplied via the principal when the CSR is submitted, not in the CN.

You can generate the CSR using OpenSSL:

# openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout private.key
Generating a 2048 bit RSA private key
.........................................................+++
.............................+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:MYDOMAIN.NET
Organizational Unit Name (eg, section) []:ECS
Common Name (eg, your name or your server's hostname) []:myserver.mydomain.net
Email Address []:authors@mydomain.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
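The interactive session above is fine by hand, but on a managed host you want the CSR generated non-interactively, with the CN guaranteed to be the FQDN, and checked before it is handed to the CA. The following is an added example (not from the FreeIPA documentation) that does exactly that with OpenSSL; it assumes the host panther.freeipa.org and service test/panther.freeipa.org from this page and a realm of FREEIPA.ORG, and it writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA docs: build a CSR whose CN is the
# host FQDN without interactive prompts, then verify the CN before submission.
# Assumed: host panther.freeipa.org, service test/panther.freeipa.org,
# realm FREEIPA.ORG.
set -eu

# gen_csr FQDN KEYFILE CSRFILE
# Creates a fresh 2048-bit RSA key and a CSR whose subject CN is FQDN.
# Only the CN matters to the IPA CA, so the rest of the DN is kept minimal.
gen_csr() {
    fqdn=$1; key=$2; csr=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/O=FREEIPA.ORG/CN=$fqdn" 2>/dev/null
}

# csr_cn CSRFILE
# Prints the CN from the CSR subject. sep_multiline prints one RDN per line,
# which sidesteps the different one-line subject formats of OpenSSL 1.x and 3.x.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
}

# check_csr_cn FQDN CSRFILE
# Succeeds only if the CSR's CN is exactly FQDN. A short name or a typo would
# be rejected by the CA (or, worse, issue a cert for the wrong host), so refuse
# such a CSR here rather than submitting it.
check_csr_cn() {
    [ "$(csr_cn "$2")" = "$1" ]
}

workdir=$(mktemp -d)
gen_csr panther.freeipa.org "$workdir/private.key" "$workdir/panther.csr"
if check_csr_cn panther.freeipa.org "$workdir/panther.csr"; then
    echo "CSR CN verified; submit it from slinky with:"
    echo "  ipa cert-request --principal=test/panther.freeipa.org@FREEIPA.ORG $workdir/panther.csr"
else
    echo "CSR CN does not match panther.freeipa.org; not submitting" >&2
    exit 1
fi
```

The private key stays on the machine that generated it; only the CSR is sent. Run the final ipa cert-request from slinky with its host credentials (kinit -k from its keytab) to exercise the delegation set up above, and keep private.key readable by the service account only.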